CMMC introduces stringent requirements for protecting Controlled Unclassified Information (CUI). Smaller contractors often need to consider a significant investment in IT infrastructure to meet these requirements if they are seeking CMMC certification at Maturity Level 3.
DHG’s CMMC Advisory team is working with many contractors to prepare for CMMC certification assessments and has identified five technology challenges, tied to requirements at Level 3 and above, that are common among smaller contractors. FSi Strategies assists its clients with cloud implementations and technology solutions, and outlines here how cloud technologies can potentially address these challenges.
Security Monitoring and Response
Security monitoring and response can be costly, and it can also be difficult to implement and maintain, particularly in a traditional, on-premises technology environment. Cloud-native security monitoring offers pricing and operational efficiencies over independent third-party security information and event management (SIEM) products, while still providing the required analysis of security alerts.
Multifactor Authentication
Expansive requirements for multifactor authentication typically require contractors to acquire additional infrastructure such as a RADIUS server. However, cloud-native multifactor solutions can accommodate on-premises, remote and client site users without additional infrastructure. They are also much easier to implement and integrate with existing authentication directories.
Mobile Device Management
Controls are often inconsistent for bring-your-own-device (BYOD) mobile devices used to access email or other company information. Current solutions for on-premises email are also expensive and difficult to execute. Cloud-native mobile applications and device management solutions are more straightforward and less costly because you only pay for what you use. They represent an operating expenditure rather than a capital expenditure, which limits large upfront costs. In addition, cloud-native solutions for mobile device management can provide PIN and encryption enforcement, data loss prevention and remote wipe capabilities.
Configuration Management and Hardening
Software required for configuration-state enforcement is expensive and difficult to implement. You may face disruptions or outages when enforcing hardening rules. Cloud-native configuration management tools can help simplify the creation of standard images. Many cloud providers have developed CMMC-compliant blueprints and security technical implementation guides (STIGs) to help clarify how to meet the CMMC’s configuration management requirements.
Backup and Recovery Strategy
In addition to the existing NIST SP 800-171 standard, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, CMMC adds backup and recovery requirements for contractors. This brings into scope the security of on-premises backups as well as backups in other virtualized cloud environments, and requires applicable storage repositories to be FedRAMP Moderate Impact Level-compliant. Cloud-native backup and recovery tools, including multiregional redundancy, machine snapshot images, native backup monitoring, and automated recovery points, vastly reduce the amount of backup and recovery planning needed for CMMC requirements.
It’s clear that cloud solutions can streamline IT operations and help organizations efficiently meet security requirements defined within the CMMC. However, it’s important to remember that no technology can solve all compliance challenges. All contractors and subcontractors considering a move to the cloud should be aware that CMMC readiness still requires ongoing technical and administrative processes and procedures to achieve full compliance.
FSi Strategies, located in Washington, DC and Herndon, VA, is a user-experience-focused managed service provider and recognized Gold Microsoft Partner with over 17 years of experience. As Microsoft Cloud experts, we provide strategic, enterprise-class Modern Workplace IT solutions that engage your employees and accelerate productivity and collaboration while optimizing your environment securely. We engage strategically with your team to modernize your environment through Planning & Design, Implementation, Training & Adoption, Change Management, IT Support and Cloud Licensing.
DHG ranks among the top 20 professional services firms in the nation, providing assurance, tax, and advisory services. With more than 2,000 professionals across the United States, the DHG team serves clients in 50 states and internationally.
To assist defense contractors, DHG Technology Compliance and DHG Government Contracting maintain a forward-thinking cybersecurity team with significant experience with the NIST 800-171 and CMMC frameworks. Key members of the firm’s CMMC service team achieved Registered Practitioner status with the CMMC Accreditation Body, and DHG is now a Registered Provider Organization (RPO) in the CMMC Marketplace. DHG is equipped to meet your specific technology advisory needs. To learn more about DHG’s Technology Advisory services, visit dhg.com/services/advisory/technology-compliance.